vpn problem

bma
Level 1

Hi

I am starting to build a peer-to-peer VPN from a 1720 router to a PIX 515. We already have VPN clients to the PIX 515 set up and working. After setting up the peer-to-peer VPN site, I get debug info (please see info 2 below). Can anyone tell me what "IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!" means?

On the router, if I run show crypto ipsec sa, I get the output in info 1 below. Do you think (0.0.0.0/0.0.0.0/1/0) is the proxy identity that is causing the problem, and how do I clean it up?

1. show crypto ipsec sa

interface: Ethernet0
Crypto map tag: nolan, local addr. 66.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.........
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
.......
local ident (addr/mask/prot/port): (10.20.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.x.x/255.255.255.0/0/0)
current_peer: 12.x.x.x
PERMIT, flags={origin_is_acl,}
.......
local crypto endpt.: 66.x.x.x, remote crypto endpt.: 12.x.x.x
path mtu 1500, media mtu 1500
current outbound spi: 0
...........

2. debug info from PIX

ISAKMP (0): processing SA payload. message ID = 2967232329
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
......

thanks

ben

3 Replies

joels
Level 1

It sounds like your dynamic crypto map is picking up the peer-to-peer session. Make sure your dynamic map ID is higher than any other peer-to-peer crypto map ID. The ID is used as a priority, so the lowest crypto map ID will be checked against that transform first.
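To make the ordering rule above concrete, here is an added example (my own toy model, not Cisco code and not part of this thread). It parses the ident lines from a `show crypto ipsec sa` block and then walks a list of crypto map entries in ascending sequence number. The matching rules are my assumptions, not something the page states: a static entry accepts a proposal only when both proxy identities fall inside its crypto ACL, while a dynamic entry is a template that accepts any identities. The sample show output is constructed, with the poster's x.x octets replaced by the 10.20.0.0/10.30.0.0 subnets that appear later in the thread.

```python
"""Toy model of crypto-map evaluation order on an IKE responder.

Added example for this thread, not Cisco code. Assumptions (mine, not stated
on the page): entries are tried in ascending sequence number; a static entry
accepts a proposal only when both proxy identities fall inside its crypto
ACL; a dynamic entry is a template that accepts any proxy identities.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the ident lines of "show crypto ipsec sa", e.g.
#   local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)"
)

# Constructed sample, modelled on the poster's output with the x.x octets
# replaced by the subnets shown later in the thread.
SAMPLE_SHOW = """\
local ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
"""


@dataclass
class Ident:
    net: ipaddress.IPv4Network
    proto: int
    port: int


def parse_ident(line: str) -> Optional[Tuple[str, Ident]]:
    """Return (side, Ident) for an ident line, or None for any other line."""
    m = IDENT_RE.search(line)
    if not m:
        return None
    side, addr, mask, proto, port = m.groups()
    # ip_network accepts a dotted netmask; 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return side, Ident(net, int(proto), int(port))


def parse_pair(text: str) -> Tuple[Ident, Ident]:
    """Pick the local and remote identities out of a block of show output."""
    found = {}
    for line in text.splitlines():
        parsed = parse_ident(line)
        if parsed:
            found[parsed[0]] = parsed[1]
    return found["local"], found["remote"]


@dataclass
class MapEntry:
    seq: int
    name: str
    dynamic: bool = False
    local_acl: Optional[ipaddress.IPv4Network] = None
    remote_acl: Optional[ipaddress.IPv4Network] = None

    def accepts(self, local: Ident, remote: Ident) -> bool:
        if self.dynamic:
            return True  # assumption: template entry takes any identities
        return local.net.subnet_of(self.local_acl) and remote.net.subnet_of(
            self.remote_acl
        )


def select_entry(entries: List[MapEntry], local: Ident,
                 remote: Ident) -> Optional[MapEntry]:
    """Lowest sequence number wins, as joels describes. None means nothing on
    the responder accepts these identities (the 'SA not acceptable' case)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.accepts(local, remote):
            return entry
    return None


def which_entry(static_seq: int, dynamic_seq: int,
                show_text: str = SAMPLE_SHOW) -> str:
    """Name of the entry that would catch a site-to-site proposal."""
    entries = [
        MapEntry(static_seq, "site-to-site",
                 local_acl=ipaddress.ip_network("10.20.0.0/24"),
                 remote_acl=ipaddress.ip_network("10.30.0.0/24")),
        MapEntry(dynamic_seq, "vpn-clients", dynamic=True),
    ]
    local, remote = parse_pair(show_text)
    chosen = select_entry(entries, local, remote)
    return chosen.name if chosen else "none"


if __name__ == "__main__":
    # dynamic map below the static one: the client template grabs the site
    print("static 50 / dynamic 10 ->", which_entry(50, 10))  # vpn-clients
    # static map below the dynamic one: the site-to-site entry is tried first
    print("static 10 / dynamic 50 ->", which_entry(10, 50))  # site-to-site
```

Run it as a script to see both orderings; the first mirrors the misordering described in the thread (the dynamic template catches the site-to-site proposal), the second the fix of giving the peer map the lower sequence number. Feeding the wildcard identity from the original post (0.0.0.0/0.0.0.0/1/0) to a map with only a static entry returns None, which is the model's counterpart of "proxy identities not supported".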

Hi Joels

After changing the ID from 50 to 10 for the peer map, that error was fixed. I got debug info from the PIX, please see below. From the debug info the tunnel looks OK, but I still cannot ping or make any connection from either side. What do you think? I have AAA RADIUS running; how does peer-to-peer pass the RADIUS check? Or do I have to disable RADIUS for the peer network? I still get "retransmitting phase 2..." or phase 1 in the debug info from both sides. What do you think?

I have an access-list permitting the 10.20.0.0 and 10.30.0.0 networks.

Thank you very much!

Ben

ISAKMP (0): Creating IPSec SAs
inbound SA from 66.x.x.x to 12.x.x.x (proxy 10.20.0.0 to 10.30.0.0)
has spi 867901758 and conn_id 4 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 12.x.x.x to 66.x.x.x (proxy 10.30.0.0 to 10.20.0.0)
has spi 329093523 and conn_id 3 and flags 4
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x33bb213e(867901758), conn_id= 4, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 12.x.x.x, dest= 66.x.x.x,
src_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
dest_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x139d9193(329093523), conn_id= 3, keysize= 0, flags= 0x4
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 2...
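The two debug captures in this thread (the rejected proposal with spi 0x0 in the first post, the established SAs above) are easier to compare once the key-engine messages are pulled into structured form. The following is an added example, my own script rather than anything from the thread or from Cisco: it parses the `IPSEC(...)` key-engine blocks, attaches a following "proxy identities not supported" line to the proposal it rejects, and summarises each message with its proxies, SPI and lifetime. It also flags esp-des and esp-md5-hmac, which are the algorithms negotiated here and which RFC 8221 now lists as MUST NOT for ESP. The sample debug text is constructed from the lines quoted in this thread, keeping the poster's x.x address redaction.

```python
"""Summarise IPSEC key-engine messages from PIX/IOS debug output.

Added example for this thread, not Cisco code. The regexes are mine and
cover only the message shapes quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: one rejected proposal (first post) and one accepted SA
# (Ben's follow-up), with the poster's x.x redaction kept as-is.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 12.x.x.x, src= 66.x.x.x,
dest_proxy= 10.30.0.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.20.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x33bb213e(867901758), conn_id= 4, keysize= 0, flags= 0x4
"""

# "key= value," pairs; the value stops at the next comma or end of line
KV_RE = re.compile(r"(\w+)= ([^,]+?)(?:,|$)")
HEAD_RE = re.compile(r"IPSEC\((\w+)\)")
# Events that open a key-engine message block in the quoted output
BLOCK_EVENTS = {"validate_proposal_request", "initialize_sas"}
# Algorithms RFC 8221 lists as MUST NOT for ESP
WEAK_ALGS = ("esp-des", "esp-md5-hmac")


@dataclass
class KeyMsg:
    event: str
    fields: Dict[str, str] = field(default_factory=dict)
    rejected: bool = False

    @property
    def spi(self) -> int:
        # "0x33bb213e(867901758)" -> 867901758 ; "0x0(0)" -> 0
        return int(self.fields["spi"].split("(")[0], 16)

    @property
    def lifetime_s(self) -> int:
        # "3600s and 4608000kb" -> 3600
        return int(re.match(r"(\d+)s", self.fields["lifedur"]).group(1))

    def weak_algorithms(self) -> List[str]:
        transform = self.fields.get("transform", "")
        return [alg for alg in WEAK_ALGS if alg in transform]


def parse_key_msgs(text: str) -> List[KeyMsg]:
    """Group debug lines into KeyMsg blocks; a validate_transform_proposal
    line marks the preceding proposal as rejected."""
    msgs: List[KeyMsg] = []
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            name = head.group(1)
            if name in BLOCK_EVENTS:
                msgs.append(KeyMsg(event=name))
            elif name == "validate_transform_proposal" and msgs:
                msgs[-1].rejected = "not supported" in line
            continue
        if msgs:
            for key, value in KV_RE.findall(line):
                msgs[-1].fields[key] = value.strip()
    return msgs


def summarize(text: str) -> List[str]:
    """One line per key-engine message, plus a note for weak transforms."""
    out: List[str] = []
    for m in parse_key_msgs(text):
        proxies = f"{m.fields['src_proxy']} -> {m.fields['dest_proxy']}"
        if m.rejected:
            out.append(f"{m.event}: rejected, proxies {proxies}")
        elif m.spi == 0:
            out.append(f"{m.event}: no SA yet (spi 0), proxies {proxies}")
        else:
            out.append(f"{m.event}: SA spi {m.spi}, proxies {proxies}, "
                       f"lifetime {m.lifetime_s}s")
        weak = m.weak_algorithms()
        if weak:
            out.append(f"  note: transform uses {', '.join(weak)}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

The summary makes the difference between the two captures visible at a glance: the first message has wildcard proxies and was rejected, the second carries the 10.20.0.0/24 and 10.30.0.0/24 proxies with a non-zero SPI. An established SA with a correct proxy pair and no traffic, as Ben reports, points at something other than the IKE negotiation (routing, the crypto ACLs, or NAT between the endpoints), which is what to check next.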

shadokin
Level 1

Yup, same problem here! I am doing a similar setup with a PIX 515 and a 7204. I also have a bunch of dynamic clients connecting just fine to my PIX.

Also, if anyone knows how to get the Unified Client to work behind a NATed firewall/router (Netscreen 100), let me know! Thanks!